2020-04-08 21:07:11 +00:00
|
|
|
package server
|
|
|
|
|
|
|
|
import (
|
|
|
|
"bytes"
|
|
|
|
"encoding/base64"
|
2020-04-09 15:37:46 +00:00
|
|
|
"github.com/cbeuw/Cloak/internal/common"
|
2020-04-17 13:21:17 +00:00
|
|
|
"github.com/cbeuw/Cloak/internal/server/usermanager"
|
2020-04-08 21:07:11 +00:00
|
|
|
"io"
|
|
|
|
"net"
|
|
|
|
"net/http"
|
|
|
|
"time"
|
|
|
|
|
|
|
|
mux "github.com/cbeuw/Cloak/internal/multiplex"
|
|
|
|
log "github.com/sirupsen/logrus"
|
|
|
|
)
|
|
|
|
|
|
|
|
var b64 = base64.StdEncoding.EncodeToString
|
|
|
|
|
2020-04-10 10:07:38 +00:00
|
|
|
func Serve(l net.Listener, sta *State) {
|
|
|
|
for {
|
|
|
|
conn, err := l.Accept()
|
|
|
|
if err != nil {
|
|
|
|
log.Errorf("%v", err)
|
|
|
|
continue
|
|
|
|
}
|
|
|
|
go dispatchConnection(conn, sta)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
func dispatchConnection(conn net.Conn, sta *State) {
|
2020-04-08 21:07:11 +00:00
|
|
|
remoteAddr := conn.RemoteAddr()
|
|
|
|
var err error
|
|
|
|
buf := make([]byte, 1500)
|
|
|
|
|
|
|
|
// TODO: potential fingerprint for active probers here
|
|
|
|
conn.SetReadDeadline(time.Now().Add(3 * time.Second))
|
|
|
|
i, err := io.ReadAtLeast(conn, buf, 1)
|
|
|
|
if err != nil {
|
|
|
|
log.WithField("remoteAddr", remoteAddr).
|
|
|
|
Infof("failed to read anything after connection is established: %v", err)
|
|
|
|
conn.Close()
|
|
|
|
return
|
|
|
|
}
|
|
|
|
conn.SetReadDeadline(time.Time{})
|
|
|
|
data := buf[:i]
|
|
|
|
|
|
|
|
goWeb := func() {
|
|
|
|
redirPort := sta.RedirPort
|
|
|
|
if redirPort == "" {
|
|
|
|
_, redirPort, _ = net.SplitHostPort(conn.LocalAddr().String())
|
|
|
|
}
|
2020-04-08 23:34:02 +00:00
|
|
|
webConn, err := sta.RedirDialer.Dial("tcp", net.JoinHostPort(sta.RedirHost.String(), redirPort))
|
2020-04-08 21:07:11 +00:00
|
|
|
if err != nil {
|
|
|
|
log.Errorf("Making connection to redirection server: %v", err)
|
|
|
|
return
|
|
|
|
}
|
|
|
|
_, err = webConn.Write(data)
|
|
|
|
if err != nil {
|
|
|
|
log.Error("Failed to send first packet to redirection server", err)
|
2020-04-10 14:05:15 +00:00
|
|
|
return
|
2020-04-08 21:07:11 +00:00
|
|
|
}
|
2020-04-09 12:41:06 +00:00
|
|
|
go io.Copy(webConn, conn)
|
|
|
|
go io.Copy(conn, webConn)
|
2020-04-08 21:07:11 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
ci, finishHandshake, err := AuthFirstPacket(data, sta)
|
|
|
|
if err != nil {
|
|
|
|
log.WithFields(log.Fields{
|
|
|
|
"remoteAddr": remoteAddr,
|
|
|
|
"UID": b64(ci.UID),
|
|
|
|
"sessionId": ci.SessionId,
|
|
|
|
"proxyMethod": ci.ProxyMethod,
|
|
|
|
"encryptionMethod": ci.EncryptionMethod,
|
|
|
|
}).Warn(err)
|
|
|
|
goWeb()
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
var sessionKey [32]byte
|
2020-04-14 00:53:28 +00:00
|
|
|
common.RandRead(sta.WorldState.Rand, sessionKey[:])
|
2020-04-08 21:07:11 +00:00
|
|
|
obfuscator, err := mux.MakeObfuscator(ci.EncryptionMethod, sessionKey)
|
|
|
|
if err != nil {
|
|
|
|
log.Error(err)
|
|
|
|
goWeb()
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
2020-04-09 15:37:46 +00:00
|
|
|
seshConfig := mux.SessionConfig{
|
|
|
|
Obfuscator: obfuscator,
|
|
|
|
Valve: nil,
|
|
|
|
Unordered: ci.Unordered,
|
|
|
|
MaxFrameSize: appDataMaxLength,
|
|
|
|
}
|
|
|
|
|
2020-04-08 21:07:11 +00:00
|
|
|
// adminUID can use the server as normal with unlimited QoS credits. The adminUID is not
|
|
|
|
// added to the userinfo database. The distinction between going into the admin mode
|
|
|
|
// and normal proxy mode is that sessionID needs == 0 for admin mode
|
|
|
|
if bytes.Equal(ci.UID, sta.AdminUID) && ci.SessionId == 0 {
|
2020-04-09 21:11:12 +00:00
|
|
|
preparedConn, err := finishHandshake(conn, sessionKey, sta.WorldState.Rand)
|
2020-04-08 21:07:11 +00:00
|
|
|
if err != nil {
|
|
|
|
log.Error(err)
|
|
|
|
return
|
|
|
|
}
|
|
|
|
log.Trace("finished handshake")
|
|
|
|
sesh := mux.MakeSession(0, seshConfig)
|
|
|
|
sesh.AddConnection(preparedConn)
|
|
|
|
//TODO: Router could be nil in cnc mode
|
|
|
|
log.WithField("remoteAddr", preparedConn.RemoteAddr()).Info("New admin session")
|
2020-04-17 13:21:17 +00:00
|
|
|
err = http.Serve(sesh, usermanager.APIRouterOf(sta.Panel.Manager))
|
2020-04-08 21:07:11 +00:00
|
|
|
if err != nil {
|
|
|
|
log.Error(err)
|
|
|
|
return
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
var user *ActiveUser
|
|
|
|
if sta.IsBypass(ci.UID) {
|
|
|
|
user, err = sta.Panel.GetBypassUser(ci.UID)
|
|
|
|
} else {
|
|
|
|
user, err = sta.Panel.GetUser(ci.UID)
|
|
|
|
}
|
|
|
|
if err != nil {
|
|
|
|
log.WithFields(log.Fields{
|
|
|
|
"UID": b64(ci.UID),
|
|
|
|
"remoteAddr": remoteAddr,
|
|
|
|
"error": err,
|
|
|
|
}).Warn("+1 unauthorised UID")
|
|
|
|
goWeb()
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
2020-04-09 15:37:46 +00:00
|
|
|
sesh, existing, err := user.GetSession(ci.SessionId, seshConfig)
|
2020-04-08 21:07:11 +00:00
|
|
|
if err != nil {
|
|
|
|
user.CloseSession(ci.SessionId, "")
|
|
|
|
log.Error(err)
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
if existing {
|
2020-04-09 21:11:12 +00:00
|
|
|
preparedConn, err := finishHandshake(conn, sesh.SessionKey, sta.WorldState.Rand)
|
2020-04-08 21:07:11 +00:00
|
|
|
if err != nil {
|
|
|
|
log.Error(err)
|
|
|
|
return
|
|
|
|
}
|
|
|
|
log.Trace("finished handshake")
|
|
|
|
sesh.AddConnection(preparedConn)
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
2020-04-09 21:11:12 +00:00
|
|
|
preparedConn, err := finishHandshake(conn, sessionKey, sta.WorldState.Rand)
|
2020-04-08 21:07:11 +00:00
|
|
|
if err != nil {
|
|
|
|
log.Error(err)
|
|
|
|
return
|
|
|
|
}
|
|
|
|
log.Trace("finished handshake")
|
|
|
|
|
|
|
|
log.WithFields(log.Fields{
|
|
|
|
"UID": b64(ci.UID),
|
|
|
|
"sessionID": ci.SessionId,
|
|
|
|
}).Info("New session")
|
|
|
|
sesh.AddConnection(preparedConn)
|
|
|
|
|
|
|
|
for {
|
|
|
|
newStream, err := sesh.Accept()
|
|
|
|
if err != nil {
|
|
|
|
if err == mux.ErrBrokenSession {
|
|
|
|
log.WithFields(log.Fields{
|
|
|
|
"UID": b64(ci.UID),
|
|
|
|
"sessionID": ci.SessionId,
|
|
|
|
"reason": sesh.TerminalMsg(),
|
|
|
|
}).Info("Session closed")
|
|
|
|
user.CloseSession(ci.SessionId, "")
|
|
|
|
return
|
|
|
|
} else {
|
|
|
|
// TODO: other errors
|
|
|
|
continue
|
|
|
|
}
|
|
|
|
}
|
|
|
|
proxyAddr := sta.ProxyBook[ci.ProxyMethod]
|
2020-04-08 23:34:02 +00:00
|
|
|
localConn, err := sta.ProxyDialer.Dial(proxyAddr.Network(), proxyAddr.String())
|
2020-04-08 21:07:11 +00:00
|
|
|
if err != nil {
|
|
|
|
log.Errorf("Failed to connect to %v: %v", ci.ProxyMethod, err)
|
|
|
|
user.CloseSession(ci.SessionId, "Failed to connect to proxy server")
|
|
|
|
continue
|
|
|
|
}
|
|
|
|
log.Tracef("%v endpoint has been successfully connected", ci.ProxyMethod)
|
|
|
|
|
2020-04-14 12:31:24 +00:00
|
|
|
// if stream has nothing to send to proxy server for sta.Timeout period of time, stream will return error
|
|
|
|
newStream.(*mux.Stream).SetWriteToTimeout(sta.Timeout)
|
2020-04-09 15:37:46 +00:00
|
|
|
go func() {
|
2020-04-14 12:31:24 +00:00
|
|
|
if _, err := common.Copy(localConn, newStream); err != nil {
|
2020-04-12 22:01:30 +00:00
|
|
|
log.Tracef("copying stream to proxy server: %v", err)
|
2020-04-09 15:37:46 +00:00
|
|
|
}
|
|
|
|
}()
|
2020-04-14 12:31:24 +00:00
|
|
|
|
2020-04-09 15:37:46 +00:00
|
|
|
go func() {
|
2020-04-14 12:31:24 +00:00
|
|
|
if _, err := common.Copy(newStream, localConn); err != nil {
|
2020-04-12 22:01:30 +00:00
|
|
|
log.Tracef("copying proxy server to stream: %v", err)
|
2020-04-09 15:37:46 +00:00
|
|
|
}
|
|
|
|
}()
|
2020-04-08 21:07:11 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
}
|